In Week 42 you decided which detection sources you will monitor and analyze. Now you need to make it happen. Develop, and start implementing, a plan to monitor and analyze each OT detection information source that was above the line in Week 42.

The task this week is to, at a minimum, develop and commit to a plan with completion dates for your chosen OT detection sources. If the plan looks overwhelming, or it cannot be accomplished in six months or less, go back to Week 42 and move the line up: choose and commit to a smaller number of OT detection information sources.

Note: Even if an information source is not used for detection, it will still be available for incident response and recovery after an incident if you performed the Week 43 task.

Monitor

How will you monitor each OT detection information source? Will you go directly to the information source every day? Every week? Will you send it to a SIEM? Will you send it to an Operator Station or Engineering Work Station? Will you send email alerts to the Engineer On Call for specific events? 

Hopefully the OT detection information sources you chose rated high on efficiency. It is likely impractical, and certainly inefficient, for a person to review long log files. If you have a low or medium efficiency data source, consider whether filters, event logic, or other methods can reduce a large amount of data to a much smaller amount with minimal increase in detection false negatives (missed, non-detected attacks).

Analyze

The analyze step can be simple: whenever an alert is received, it triggers a defined action. For example, whenever an endpoint detection alert is received, the Engineer On Call must isolate and investigate the cyber asset that generated the alert.

The analyze step can combine further automated and manual analysis. For example, we will send all the detection alerts from an OT detection information source to the OT SIEM where it will be analyzed by code to generate additional alerts that will be presented to a 24×7 manned SOC for further analysis and action.
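The efficiency filtering described under Monitor and the alert-to-action and SIEM logic described under Analyze, as an added example that is not part of the original post. The event types, the burst threshold, the one-minute window and the routing targets are assumptions chosen for illustration; the sample events are constructed.

```python
# Added example (not from the original post); event types, thresholds and
# routing targets are assumptions chosen for illustration.
from collections import Counter
from datetime import datetime, timedelta

NOISY_TYPES = {"heartbeat"}   # low-value types the efficiency filter drops
BURST, WINDOW = 3, timedelta(minutes=1)   # failed logons per window -> 1 alert
ACTIONS = {"endpoint_detection": "isolate and investigate the asset",
           "logon_burst": "verify the account activity"}
# Constructed sample events: (timestamp, asset, event_type, detail).
RAW_EVENTS = [
    ("2024-01-08T02:00:00", "EWS-01", "heartbeat", "ok"),
    ("2024-01-08T02:00:05", "EWS-01", "logon_failed", "user=eng1"),
    ("2024-01-08T02:00:09", "EWS-01", "logon_failed", "user=eng1"),
    ("2024-01-08T02:00:14", "EWS-01", "logon_failed", "user=eng1"),
    ("2024-01-08T02:00:30", "EWS-01", "endpoint_detection", "unsigned binary ran"),
    ("2024-01-08T02:05:00", "HMI-02", "logon_failed", "user=op2"),
]

def filter_events(events):
    """Drop noisy types, counting the drops so the filter's blind spot stays visible."""
    kept = [e for e in events if e[2] not in NOISY_TYPES]
    return kept, Counter(e[2] for e in events if e[2] in NOISY_TYPES)

def aggregate_failed_logons(events):
    """Collapse BURST failed logons per asset within WINDOW into one alert."""
    alerts, pending = [], {}
    for ts, asset, etype, detail in events:
        if etype != "logon_failed":
            alerts.append((ts, asset, etype, detail))
            continue
        t = datetime.fromisoformat(ts)
        first, n = pending.get(asset, (t, 0))
        if t - first > WINDOW:
            first, n = t, 0               # start a new burst window
        pending[asset] = (first, n + 1)
        if n + 1 == BURST:                # emit once per burst, not per failure
            alerts.append((ts, asset, "logon_burst", f"{BURST} failures"))
    return alerts

def analyze(alerts):
    """Alert -> Engineer On Call action; a 2nd alert on the same asset also escalates to the SOC."""
    actions, seen = [], Counter()
    for _, asset, etype, _ in alerts:
        actions.append((asset, f"Engineer On Call: {ACTIONS.get(etype, 'review')}"))
        seen[asset] += 1
        if seen[asset] == 2:
            actions.append((asset, "SOC: escalate, multiple alert types"))
    return actions
```

The suppressed-event counts returned by filter_events are the piece to review periodically: they show what the filter is hiding, which is where a false negative would come from.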

_________

For each OT detection information source, document the monitoring and analysis approach you are committing to.


OT Detection Information Source | Monitor | Analysis